How does antivirus software disinfect malicious files?

Pages: 12
closed account (3hMz8vqX)
Hi all,
How does antivirus software disinfect malicious files?
Thank you everyone in advance! :)
closed account (13bSLyTq)
Huh... you again?
You can't just disinfect a file like that; you need to understand file bytes and the PE format, as most malware tends to modify the PE slightly to avoid debugging and such. I am CBA to explain this to you, as you don't learn.

Sorry, but you are too far ahead of yourself.
closed account (3hMz8vqX)
Can you at least show me the path to follow?
closed account (3hMz8vqX)
Hi all,
Why isn't anyone responding to my questions?
I am not getting that much response from people...
I'm a student interested in security software development...
I can't get good information on this subject...
That's why I ask questions on this forum...
Please help me, guys...
Sorry if I have made any mistake; please help me, guys...
I don't want any direct code, only small snippets, just the path to follow... :)
Thank you everyone in advance! :)
closed account (13bSLyTq)
Sorry, but I told you the path to follow. Next, student or not, you should be able to conduct your own research. Nevertheless, in real-world programming, research comes into play heavily.

Learn debugging, and learn the Windows API thoroughly. I went through the same procedure as you, but I researched and studied and did not ask for source code.

"Can you at least show me the path to follow?"

www.google.com
closed account (3hMz8vqX)
@OrionMaster:
So how will you understand file bytes?
PE format?
etc., etc., etc.
Help me!
closed account (13bSLyTq)
Hi,

Again, this is too generic for anyone to answer without you bringing ten more questions.
To understand file bytes, you must understand how a normal file and an infected file look, compare the bytes to see the difference, and find a similar pattern, or the same pattern, that you have observed.
As for the PE format, it is a bit more complex and requires expert-level knowledge of the Windows API.
Look here:
http://msdn.microsoft.com/en-us/library/ms809762.aspx

To be fair, man, you lack knowledge of the basics of research. I always try my best to guide everyone in topics I am familiar with, but I have tried several times with you and you just don't learn.

Look back at every question you asked and try to research without looking at the questions, and you will find that you would have more information than we provided.
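As an added example (not code from the thread), here is the byte-comparison approach described above, in portable C: diff a known-clean and an infected copy of the same file to derive a byte signature, then scan other files for that signature wherever it lands. The CLEAN, INFECTED and OTHER_* buffers are constructed for the example and stand in for real file images; they are not real executables or malware.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed, illustrative buffers (NOT real executables or malware):
   CLEAN is a known-good file image and INFECTED is the same image after
   something patched a few bytes in the middle. */
#define SAMPLE_LEN 32
static const uint8_t CLEAN[SAMPLE_LEN] = {
    0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,
    0xB8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };
static const uint8_t INFECTED[SAMPLE_LEN] = {
    0x4D,0x5A,0x90,0x00,0x03,0x00,0x00,0x00,0x04,0x00,0x00,0x00,0xFF,0xFF,0x00,0x00,
    0xB8,0x00,0x00,0x00,0xE8,0x13,0x37,0x90,0x40,0x00,0x00,0x00,0x00,0x00,0x00,0x00 };

/* Derive a byte signature by diffing a clean and an infected copy of the same
   file: the signature is the run of infected bytes from the first to the last
   differing offset. Returns the signature length (0 if the copies are identical)
   and reports where in the file the difference starts. */
size_t extract_signature(const uint8_t *clean, const uint8_t *infected, size_t len,
                         uint8_t *sig, size_t sig_cap, size_t *sig_off)
{
    size_t first = len, last = 0;
    for (size_t i = 0; i < len; i++) {
        if (clean[i] != infected[i]) {
            if (first == len) first = i;
            last = i;
        }
    }
    if (first == len) return 0;               /* no difference at all */
    size_t n = last - first + 1;
    if (n > sig_cap) n = sig_cap;             /* truncate to the caller's buffer */
    memcpy(sig, infected + first, n);
    if (sig_off) *sig_off = first;
    return n;
}

/* Scan any buffer for the signature; returns the match offset or -1.
   Deliberately position-independent, because the same infection can land at
   a different offset in a different host file. */
long scan_for_signature(const uint8_t *buf, size_t len,
                        const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0 || len < sig_len) return -1;
    for (size_t i = 0; i + sig_len <= len; i++) {
        if (memcmp(buf + i, sig, sig_len) == 0) return (long)i;
    }
    return -1;
}

/* Constructed files to scan: one carries the same patch at a different
   offset, the other shares only part of the pattern and must not match. */
static const uint8_t OTHER_INFECTED[] = { 0x00,0x00,0xE8,0x13,0x37,0x90,0x00,0x00 };
static const uint8_t OTHER_CLEAN[]    = { 0x00,0x00,0xE8,0x13,0x00,0x90,0x00,0x00 };

int demo(void)
{
    uint8_t sig[64];
    size_t off = 0;
    size_t n = extract_signature(CLEAN, INFECTED, SAMPLE_LEN, sig, sizeof sig, &off);
    printf("signature: %zu bytes at offset %zu:", n, off);
    for (size_t i = 0; i < n; i++) printf(" %02X", sig[i]);
    printf("\nOTHER_INFECTED -> %ld\n",
           scan_for_signature(OTHER_INFECTED, sizeof OTHER_INFECTED, sig, n));
    printf("OTHER_CLEAN    -> %ld\n",
           scan_for_signature(OTHER_CLEAN, sizeof OTHER_CLEAN, sig, n));
    return (int)n;
}

int main(void) { demo(); return 0; }
```

A four-byte signature is far too short for production use: real engines pick longer, rarer sequences (and often anchor them to a section or the entry point) to keep false positives down, and a packed or encrypted payload defeats this kind of byte scan entirely, which is the evasion mentioned later in the thread.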

closed account (3hMz8vqX)
Okay, thank you very much...
You know I asked a question about heuristic detection...
So, relating to that, how can I find out if a program uses some API like MessageBox? Can I use GetProcAddress()?
If I can, how will I do that?
I have no idea...
Please help!
closed account (13bSLyTq)
Nope. What you do is inject into the application, then hook User32.dll!MessageBoxA or User32.dll!MessageBoxW; then in the callback, every time the function is called, pass it on normally but alert the AV process/heuristics.

After 3 or 4 sketchy functions are called you simply hook the system call stub and return 0, so the program will not work; then you suspend the process and close the process from kernel mode.

GL
closed account (3hMz8vqX)
But I found a post here that uses GetProcAddress() to detect the CreateProcess API:
http://www.cplusplus.com/forum/windows/96874/
See the first post?
Thank you in advance!
closed account (13bSLyTq)
That member was the same as me, you know?

GetProcAddress is a function to get the address of a specific function; it has nothing whatsoever to do with seeing whether the program uses it. It is rarely ever used in AV.

closed account (3hMz8vqX)
So are there any more ways of doing that?
closed account (13bSLyTq)
No, unless you want to do IAT hooking, PE-file-injection-based hooking, or kernel-level hooking.

closed account (3hMz8vqX)
Okay,
so AVs create a hex dump of an exe and then scan it and check if it is malware?
closed account (13bSLyTq)
These are the problems with hex dumps:

- If the malware PE file is too large it can take 5 minutes to get the hex dump
- Hex dumps need a large amount of analytic skill, which is not needed
- Malware can use honey-file techniques to detect anti-malware targets
- Hex dumps can be evaded by compression/crypting software fairly easily

These are a few problems, I can say; I still have a dozen left in my head.
A more revolutionary technique would be MD5 file scanning, as this is quicker and needs less skill to implement.
In addition, MD5 is lightweight, so local computers can download millions of MD5 file signatures in order to check for malware.

As the technology advances, so do hackers; therefore heuristic scanning is the most effective AV technology in place. Once a heuristic algorithm is programmed properly, it can defend against 0-day attacks/malware as well; in addition, it is very effective in the long term, as developers/malware analysts do not need to work every single day analysing millions of pieces of malware.
closed account (3hMz8vqX)
Okay, can you please teach me the basics of heuristic detection?
Thank you in advance! :)
All you do is ask questions... If you want to be a programmer you must find answers yourself, not just blindly ask for help all the time.

Otherwise people will stop respecting you, since you want your work to be done by someone else.

If you google "heuristic detection" you will find tons of descriptions, examples and forum topics.
Heuristic detection is just a fancy way of saying it recognizes certain "signatures" in your file.
In short, it recognizes a certain algorithm, API calls, and so forth.
AV uses this method to detect a certain class or category of malware.

E.g.: if you call, let's say, WriteProcessMemory http://msdn.microsoft.com/en-us/library/windows/desktop/ms681674(v=vs.85).aspx
or ReadProcessMemory http://msdn.microsoft.com/en-us/library/windows/desktop/ms680553(v=vs.85).aspx

an AV most likely wouldn't give you a warning.
But use it together with CreateProcess http://msdn.microsoft.com/en-us/library/windows/desktop/ms682425(v=vs.85).aspx
and it may give you a false positive on your file and flag it as malware.

When it comes to the question about GetProcAddress() http://msdn.microsoft.com/en-us/library/windows/desktop/ms683212(v=vs.85).aspx
it is used in combination with GetModuleHandle() http://msdn.microsoft.com/en-us/library/ms683199(v=vs.85).aspx

After defining a function type you can
call GetProcAddress on the HMODULE handle of the DLL with the name (string) of the function you want. GetProcAddress will then return the address of the function you specified in the string. This method is called dynamic linking and/or code obfuscation, and it prevents the AV from detecting the API call and thus from detecting the file. This is a method malware uses to prevent detection, and I can't think that AVs use this much.

Hope this answers some questions.
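An added example, not from the thread, of the combination-based heuristic this post describes, in C. It scores a file on the API names read from its import table: WriteProcessMemory or ReadProcessMemory alone is only a weak signal, together with CreateProcess it is scored as the injection pattern, and the GetProcAddress + LoadLibrary/GetModuleHandle dynamic-resolution trick described above is itself treated as an indicator, more so when the import table is otherwise almost empty. The sample import lists, the weights and the thresholds are constructed for the example.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

#define MAX_IMPORTS 16

/* One scanned file: its name and the API names read from its import table.
   These lists are constructed for the example, not taken from real files. */
struct sample {
    const char *name;
    const char *imports[MAX_IMPORTS];   /* NULL-terminated */
};

static const struct sample SAMPLES[] = {
    { "debugger_tool", { "OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
                         "MessageBoxA", NULL } },
    { "injector",      { "CreateProcessA", "VirtualAllocEx", "WriteProcessMemory",
                         "CreateRemoteThread", "ResumeThread", NULL } },
    { "packed_stub",   { "LoadLibraryA", "GetProcAddress", "VirtualProtect", NULL } },
    { "hello",         { "MessageBoxA", "ExitProcess", NULL } },
};
#define NSAMPLES (sizeof SAMPLES / sizeof SAMPLES[0])

/* True if any import starts with `prefix`, so "CreateProcess" matches both
   the A and W variants. */
static int imports_prefix(const struct sample *s, const char *prefix)
{
    size_t n = strlen(prefix);
    for (int i = 0; s->imports[i]; i++)
        if (strncmp(s->imports[i], prefix, n) == 0) return 1;
    return 0;
}

static int import_count(const struct sample *s)
{
    int i = 0;
    while (s->imports[i]) i++;
    return i;
}

static void add_reason(char *out, size_t cap, const char *r)
{
    if (!out || cap == 0) return;
    if (out[0]) strncat(out, "; ", cap - strlen(out) - 1);
    strncat(out, r, cap - strlen(out) - 1);
}

/* Score a sample on API *combinations*, not single calls. `reasons` (may be
   NULL) receives a human-readable explanation for the analyst. The weights
   are assumptions of the example. */
int heuristic_score(const struct sample *s, char *reasons, size_t cap)
{
    int score = 0;
    if (reasons && cap) reasons[0] = '\0';

    int mem   = imports_prefix(s, "WriteProcessMemory") || imports_prefix(s, "ReadProcessMemory");
    int spawn = imports_prefix(s, "CreateProcess");
    int dyn   = imports_prefix(s, "GetProcAddress") &&
                (imports_prefix(s, "LoadLibrary") || imports_prefix(s, "GetModuleHandle"));

    if (mem && spawn) {                        /* the post's CreateProcess + memory combo */
        score += 50; add_reason(reasons, cap, "CreateProcess+Read/WriteProcessMemory");
        if (imports_prefix(s, "CreateRemoteThread")) {
            score += 20; add_reason(reasons, cap, "CreateRemoteThread");
        }
    } else if (mem) {                          /* debuggers do this too: weak signal */
        score += 10; add_reason(reasons, cap, "cross-process memory access");
    }
    if (dyn) {                                 /* imports resolved at run time */
        score += 25; add_reason(reasons, cap, "dynamic import resolution");
        if (import_count(s) <= 4) {            /* almost nothing else imported: packer-like */
            score += 15; add_reason(reasons, cap, "tiny import table");
        }
    }
    return score;
}

const char *verdict(int score)
{
    return score >= 50 ? "malicious" : score >= 20 ? "suspicious" : "clean";
}

int main(void)
{
    char why[256];
    for (size_t i = 0; i < NSAMPLES; i++) {
        int sc = heuristic_score(&SAMPLES[i], why, sizeof why);
        printf("%-14s score=%3d %-10s %s\n", SAMPLES[i].name, sc, verdict(sc), why);
    }
    return 0;
}
```

Scoring combinations rather than single APIs is exactly the false-positive concern the post raises: a debugger imports ReadProcessMemory and WriteProcessMemory legitimately, so those alone stay below the threshold. In a real engine the names would come from parsing the PE import directory, and a resolve-at-runtime binary would additionally be run under API hooks to observe the calls it hides from static analysis.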
closed account (13bSLyTq)
Hi,

Aravind, sorry, you must start looking. I know this (heuristics) backwards, but there are so many resources available; look, they are floating around.